The article section "Increase the amount of user ID bits" states:
"Messing with the number of bits in the user ID instead of the password has another huge advantage. Ready for this, user IDs do not need to be kept secret. .... A cybercriminal would be hard pressed to gather everyone's user ID from sticky notes stuck to monitors."
A cybercriminal intruding from outside of the premises, e.g., only via a network, would be equally hard-pressed to gather everyone's passwords from sticky notes stuck to monitors, too.
The reason that recording passwords on sticky notes is "against the rules" is that doing so increases insider risk. When credentials are used only to thwart "outsiders", whether they are written on a note that is kept at hand by the user(s) is largely irrelevant -- unless and until the intrusion becomes the physical presence of the "outsider" or an "insider" provides those credentials to them. (I've read and used credentials included in the instructions which were attached to fax machines.)
IIRC, Mr. Herley shows that increasing the possible number of user-IDs significantly beyond the number of user-IDs which are in use has the greatest benefit. That probably would entail increasing the number of bits (or bytes) in the possible user-IDs, thus in all user-IDs, of course.
What credentials boil down to is that, whether or not the user ID can and should be longer and/or more complex and the password can possibly be shorter, something significant must be kept secret, or there is no point in using a "user-name + password" combination to secure anything. Otherwise, it is like having a locked padlock left with the key inserted into it.